OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of RatherOldMan »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - RatherOldMan

Pages: [1]
1
23.1 Legacy Series / Re: Connection Problems in LAN
« on: March 14, 2023, 06:31:40 pm »
Sorry I'm a bit desperated.

If I have a problem I couldn't really understand I'm in heavy doubt about my technical understanding at all.

I tried this:
https://docs.netgate.com/pfsense/en/latest/routing/static.html#asymmetric-routing

So i create such rules on the LAN Interface and on Floating: ALL TCP Flags and Sloppy state.

And - it worked. I will test it further tomorrow - now I have to make the fodder for our two dogs.

Wave,
The RatherOldMan


2
23.1 Legacy Series / Re: Connection Problems in LAN
« on: March 14, 2023, 05:16:46 pm »
Thx pmhausen,

can i solve that issue with ICMP Redirects?

The Clients gets the Information from A to directly connect to Router B.
So that the resulting connection is symmetric:
Client > B > Server
Server > B > Client

You said that you enable ICMP Redirects in trusted networks.
Maybe I misconfigured the OPNsense to send ICMP Redirects?

net.inet.ip.redirect = 1

Is it more than this?

Can someone pls confirm that ICMP Redirects are working with OPNsense 23.1.3_4?

Wave,
The RatherOldMan

3
23.1 Legacy Series / Re: Connection Problems in LAN
« on: March 14, 2023, 03:45:44 pm »
Isn't this asymmetric routing?

Client in MAIN
> Firewall MAIN
> Firewall SUB
> Server in SUB

Server in SUB
> Firewall SUB
> Client in MAIN

Is there a better way to connect two local networks where both uses different OPNsense as Default Gateway?

4
23.1 Legacy Series / Re: ICMP Redirect - or NOT
« on: March 09, 2023, 05:31:12 pm »
Thx pmhausen.

The client receives ICMP Redirects. So the problem must be something else.

I guess its not the problem to start the application itself from the share.

I guess it has something to do with the Database-Connection, the application wants to connect to a Database-Server in the SUB network. Because it didn't receive a (good) result - it can't start well.

Another Software which work with Client-to-Database-Server looses connection to the server in the SUB network if I try to request more data at startup. But only at the first start of that client - further on it work.

Wave,
The RatherOldMan

5
High availability / Re: [SOLVED] no CARP VIP entry in NAT > Outbound > Translation / target available
« on: March 09, 2023, 05:20:37 pm »
Hi Franco,

atm i couldn't answer this - i deleted the whole CARP settings because of my disconnection / unstable connection problems.

https://forum.opnsense.org/index.php?topic=32856.0

Wave,
The RatherOldMan

6
23.1 Legacy Series / Re: ICMP Redirect - or NOT
« on: March 08, 2023, 08:12:01 am »
Hi,

I agree - Default Setting to OFF is a good idea. A lot of users won't need it.

But can I somehow test if the NEW MAIN-Firewall really sends a ICMP Redirect? So that I have to continue my search for the problem?

Atm I don't know if it send a ICMP Redirect.
On the search in the internet I read something about ICMP Redirects not working in FreeBSD. But that was about Version 11 if I remember correctly. Currently I don't find that source again.

So I try to ask more detailed:
Is there a log where I should see that ICMP Redirects the MAIN-Firewall is sending?
Is there a BUG so that ICMP Redirect currently is not working?
Or is there a decision not to use ICMP Redirects anymore because of security reasons so that it couldn't be enabled?
Or do I have a total misunderstanding from that scenario because my skill of knowledge isn't high enough?

Wave,
The RatherOldMan

7
High availability / Re: [SOLVED] no CARP VIP entry in NAT > Outbound > Translation / target available
« on: March 07, 2023, 10:28:55 pm »
Hi Franco,

yes and no.

I can choose "LAN net" from a list.
So I thought the Translation / target is ALSO choosen from a list, entry is called "CARP virtual IP".
Old Humans are silly...

So I think it will be a good idea to add your "more robust solution":

Go to Firewall Aliases.
Create a Host(s)-alias for the CARP IP.

Go to Firewall NAT Outbound. ...

Cheers,
The RatherOldMan

8
23.1 Legacy Series / Connection Problems in LAN
« on: March 07, 2023, 10:14:25 pm »
Hi All.

I have these two LANs: MAIN and SUB.

Because clients from MAIN have to access some services in SUB and the other way around the SUB-Firewall is connected directly to the MAIN LAN with an interface.

Now I want to exchange the MAIN Firewall because it is an VERY old pfSense 2.2.5.
So I configured two new OPNsense HA Firewalls.

Now I have the problem:
On a client in the MAIN LAN i try to start a application from a share in the SUB LAN.
I can access the share - the connection speed is good. I can transfer files etc.
But the application starts VERY slow and is unusable.
The application self trys to connect to a service on the same host where the share is located.
It feels like the connection is stuttering.

If i use the OLD MAIN Firewall (pfSense) I do not have that problem.

SUB Firewall is OPNsense 20.1.7
NEW MAIN Firewall is OPNsense 23.1.1_2 HA

I added the Gateway 10.0.1.12
I created a static route to the SUB LAN over that Gateway

Firewall > Settings > Advanced:
Disable force gateway: [X] Disable automatic rules which force local services to use the assigned interface gateway
Static route filtering: [X] Bypass firewall rules for traffic on the same interface

In my (outdated?) simple knowledge from what is going on:

- the client asks his default gateway (MAIN) where he will find the SUB-Host
- the MAIN-Firewall tells the client that he should go to the SUB-Firewall
- the client connects to the SUB-Firewall and can access the SUB-Host

I tested that routing-idea on the client and create a route on the client to the SUB LAN over the SUB Firewall.
The application starts very well, looks good!
But why is the Gateway (MAIN) not answering THIS question about the route?

I took a deeper look at the differences between the NEW and the OLD and find
net.inet.ip.redirect
is ACTIVATED on the OLD - and DEACTIVATED on the NEW.

So I thought: yes, that could be.
The client receive an ICMP Redirect from his gateway (MAIN) so that he tries to connect over the SUB-Firewall.
I activated net.inet.ip.redirect = 1
But nothing changed.

BTW: Its no difference if i use the CARP IP or the IP from the Firewall itself.

Its still stuttering.

So: BUG? Or no ICMP Redirects anymore because of security reasons? Or do I have a total misunderstanding from that scenario?

Hints are very welcome ;)

Thx

9
High availability / Re: no CARP VIP entry in NAT > Outbound > Translation / target available
« on: February 21, 2023, 11:03:22 am »
 :)

Thx - works like a charm.

It should be mentioned in the HowTo.

https://docs.opnsense.org/manual/how-tos/carp.html

Wave,
The RatherOldMan

10
High availability / [SOLVED] no CARP VIP entry in NAT > Outbound > Translation / target available
« on: February 20, 2023, 10:17:28 pm »
Hi all,

I installed two OPNsense identical Hardware-Firewalls, both updated to Version 23.1.1_2.

I configured High Availibility and the syncing works fine.

I configured a virtual CARP IP for the WAN Interface - ok - see it on the backup firewall.

But i cannot change Outbound NAT to that CARP VIP - there is no entry for that in Translation / target.

Only
- Single host or Network
- WAN address
- PFSYNC address
- LAN address

I tried an IP Alias on WAN - also not in that list.

Thx

The RatherOldMan



Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2